This Data Processing Addendum (the "DPA") is entered into by Culpepper and Licensee pursuant to the Terms of Service for Culpepper Compensation Surveys ("Agreement") between Culpepper and Licensee. This Addendum is subject to the terms of the Agreement and is incorporated into the Agreement by this reference. Capitalized terms used in this DPA will have the meaning set forth in the Agreement or as otherwise defined in this DPA. This DPA will remain in force until the latter of the expiration of the Subscription License Term and the date Culpepper no longer retains any Personal Information in its possession or control. Notwithstanding the foregoing, any provision of this DPA that expressly or by implication should continue in force on or after termination to protect Personal Information will remain in full force and effect.

1. DEFINITIONS

1.1. "Applicable Law" means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction, each as may be amended from time to time. This includes, but is not limited to, the European Union General Data Protection Regulation ("EU GDPR") and United Kingdom's General Data Protection Regulation ("UK GDPR”).

1.2. "Data Subject" means an individual who is the subject of Personal Information.

1.3. "Personal Information" or "Personal Data" as used in Applicable Law) has the meaning as defined under the relevant Applicable Law.

1.4. "Privacy Breach" means any act or omission involving the accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of or access to Personal Information.

1.5. "Processing, processes, or process" means any operation or set of operations which is performed upon Personal Information, whether by automatic or manual means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.6. "Services" means the services Culpepper is obligated to perform pursuant to the Agreement.

1.7. "EU Standard Contractual Clauses" or "EU SCCs" means the European Commission's standard contractual clauses for the transfer of Personal Data of EU Data Subjects from the European Union to third countries (Module Two with respect to Controller-Processor transfers and Module One with respect to Controller-Controller transfers, as applicable), as set out in the Annex to Commission Decision (EU) 2021/914.

1.8. "UK Standard Contractual Clauses" or "UK SCCs" means the addendum issued by the United Kingdom Information Commissioner's Office and approved by Parliament in accordance with s119A of the UK Data Protection Act 2018, which incorporates and amends the EU SCCs, available here: "UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses".

2. TYPES AND PROCESSING OF PERSONAL INFORMATION

2.1. The data that may contain Personal Information to be Processed by Culpepper consists of the following categories of information: job title, job description, compensation, and geographic location of job; solely with respect to Authorized Users: work email addresses, work phone numbers, and names.

2.2. The data that may contain Personal Information to be Processed by Culpepper involves the following categories of Data Subjects: current and former employees.

2.3. General Obligations and Limitations. As between the parties, Licensee is the controller (as defined under Applicable Law) and appoints Culpepper as a processor (as defined under Applicable Law) to Process Personal Information. While not the intention of the parties, Culpepper may also be a controller under certain circumstances for purposes of this DPA. Culpepper will Process Personal Information in compliance with Applicable Law at all times. Culpepper will not disclose Personal Information to any third party without first obtaining Licensee's written consent. Culpepper shall ensure that, at all relevant times during the term of the Agreement, all Culpepper personnel engaged in the Processing of Personal Information are subject to enforceable obligations to maintain the confidentiality of the Personal Information and to comply with the other relevant obligations and restrictions of this DPA.

2.4. Processing Limitation. Culpepper will process Personal Information solely for the purpose of performing the Services and in accordance with Licensee's instructions as issued from time to time in writing. Culpepper will collect only such Personal Information during the course of performing the Services as is strictly necessary for Culpepper to perform the Services. For the avoidance of doubt, Culpepper may incorporate Personal Information into the Culpepper Survey Data in a de-identified and aggregated manner as permitted by the Agreement.

2.5. Subcontractors. Culpepper may subcontract the Processing of Personal Information only after providing notice of such subcontracting (including the reasonably detailed information identifying the subcontractor) and the opportunity for Licensee to object to such subcontracting within 10 business days thereafter. For any proposed subcontractor, Culpepper will disclose to Licensee the geographic location(s) at which the proposed subcontractor will perform the Processing. If Licensee reasonably objects to the use of an identified subcontractor, Culpepper shall cease such subcontractors involvement with the Processing or, if the cessation of subcontractor’s involvement in the Processing is not commercially reasonable, Culpepper will notify Licensee of such circumstance and Licensee may terminate the Agreement immediately. All Processing by subcontractors must be subject to a written agreement between Culpepper and the subcontractor that requires the subcontractor to comply with the same obligations and restrictions as provided in this DPA, including express guarantees by the subcontractor to implement technical and organizational measures to ensure that Processing satisfies all requirements of Applicable Law. Culpepper shall remain responsible for the Processing of the Personal Information and for any acts and omissions of such subcontractors to the same extent as if such acts or omissions were performed by Culpepper.

2.6. Data Subject Requests.

2.6.1. Culpepper will reasonably cooperate with and assist Licensee in responding to any complaint, notice, communication, or Data Subject request with respect to Personal Information.

2.6.2. Culpepper will notify Licensee promptly if it receives any complaint, notice, or communication, or Data Subject request that relates to the Personal Information, Processing of Personal Information, or to either party's compliance with Applicable Law with respect to Personal Information.

2.7. Retention and Deletion. Culpepper may retain Personal Information only for the period of time required for Culpepper to perform the Services, or such longer period required by Applicable Law, required or permitted pursuant to the Agreement or requested in writing by Licensee. At Licensee's election, Culpepper will either delete or return to Licensee any Personal Information provided to Culpepper by Licensee and permanently delete all copies of such Personal Information in its possession or control at the expiration of such time period in accordance with any standards provided for deletion of data in the main body of the Agreement or, if the Agreement does not provide such standards, then in accordance with applicable industry standards for secure deletion of Personal Information.

2.8. Cross-Border Transfers.

2.8.1. Culpepper may only transfer Personal Information across national borders upon the prior written consent of Licensee and in compliance with Applicable Law.

2.8.2. If Culpepper collects, stores or otherwise Processes Personal Information in the European Economic Area, then Culpepper will not transfer the Personal Information outside the European Economic Area without the prior written consent of Licensee. Transfers of Personal Information of EU Data Subjects from the European Economic Area to another location and of Personal Information or UK Data Subjects from the UK to another location must be: (A) to a recipient that, either through its location or participation in a valid cross-border transfer mechanism under Applicable Law, may legally receive that Personal Information; (B) pursuant to the EU Standard Contractual Clauses (with respect to Personal Information of UK Data Subjects, the EU SCCs are subject to the amendments incorporated by the UK Standard Contractual Clauses; (C) pursuant to a valid Data Subject consent to the transfer that was obtained under Applicable Law; or (D) otherwise authorized by all applicable governmental authorities in the European Economic Area. The terms of the EU SCCs and the UK SCCs are incorporated herein by reference, as applicable.

3. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

3.1. Standards Culpepper will take all necessary technical and organizational security measures against the unauthorized or unlawful Processing of Personal Information and against the loss, alteration or destruction of, or damage to, Personal Information, including Privacy Breaches. Such technical and organizational measures will include at a minimum compliance with applicable industry standards for information security. Culpepper acknowledges that its duty to take security measures under this Paragraph 3.1 is in addition to, and does not limit, Culpepper's obligations to take appropriate technical and organizational security measures pursuant to Applicable Law.

3.2. Privacy Breaches.

3.2.1. Culpepper will notify Licensee within 72 hours of becoming aware of a Privacy Breach. The parties will thereafter coordinate with each other to investigate the Privacy Breach. Culpepper will reasonably cooperate with Licensee in the Licensee's handling of the matter, including: (i) investigating and assisting with any Licensee investigation into the Privacy Breach; (ii) taking reasonable steps to mitigate the effects of the Privacy Breach; and (iii) engaging in an assessment of the Privacy Breach to determine the cause of the Privacy Breach and remedial efforts that may be implemented to prevent future Privacy Breaches.

3.2.2. Culpepper will not inform any third party of a Privacy Breach without first obtaining the Licensee's prior written consent, except when law or regulation requires it.

3.2.3. Culpepper agrees that Licensee has the sole right to determine: (i) whether to provide notice of the Privacy Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in Licensee's discretion, including the contents and delivery method of the notice; and (ii) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

3.2.4. Culpepper will cover all reasonable expenses associated with the performance of the obligations under this Paragraph 3, unless the matter arose from Licensee's specific instructions, negligence, willful default, or breach of this DPA or the Agreement, in which case Licensee will cover all reasonable expenses.

4. AUDITS AND COMPLIANCE

4.1. Audits. Culpepper will permit Licensee and its third-party representatives to audit Culpepper's compliance with its DPA obligations, upon at least 30 days' notice, during the Subscription License Term and until the earlier of two years after this DPA terminates and the date Culpepper no longer retains any Personal Information in its possession or control. Such audits shall be conducted no more frequently than once every 12 months (except in the event of a Privacy Breach, in which case Licensee is permitted to conduct an audit within the 3-month period thereafter regardless of whether an audit has already been conducted within the 12 months immediately preceding the Privacy Breach) and shall be conducted in a manner least intrusive to Culpepper's business. Culpepper will give Licensee and its third-party representatives reasonable assistance to conduct such audits. The assistance may include, but is not limited to: (i) physical access to, remote electronic access to, and copies of Culpepper's systems, to the extent storing Personal Information (provided that Culpepper shall not be required to provide Licensee with data or access to data of any party other than Licensee); (ii) access to and meetings with any of Culpepper's personnel reasonably necessary to provide all explanations and perform the audit effectively; (iii) inspection of the infrastructure, electronic data, or systems, facilities, equipment, or application software used to store, process, or transport Personal Information (provided that Culpepper shall not be required to provide Licensee with data or access to data of any party other than Licensee); (iv) making available to Licensee information necessary to demonstrate compliance with Applicable Law; and (v) providing copies of reports resulting from any audits performed by Culpepper's internal personnel that include Processing or security of Personal Information within their scope.

4.2. Data Privacy Impact Assessment. Culpepper will reasonably assist Licensee with its legal obligations relating to carrying out a data protection impact assessment with respect to the Processing and, where legally required, consulting with applicable data protection authorities in respect of any proposed Processing activity conducted in connection with the Services and the performance of the Agreement where a data impact assessment indicates that the Processing presents a high risk to Data Subjects.

4.3. Compliance with DPA. Any failure of Culpepper to comply with this DPA constitutes a material breach of the Agreement. In such event, Licensee may terminate the Agreement or the applicable Processing, effective immediately, at its sole option upon written notice to Culpepper without liability or further obligation to Culpepper and without prejudice to any other remedies under this Agreement, at law or in equity.

4.4. Liability. Subject to the limitations set forth in Paragraph 13 of the Agreement, each party shall be liable to the other party for all loss, harm, cost (including reasonable attorney's fees), fines, expense, and liability that a party may suffer or incur as a result of the other party's breach or non-compliance with this DPA.

4.5. Indemnity. Culpepper agrees to indemnify, keep indemnified and defend at its own expense, Licensee against all costs, claims, damages or expenses incurred by Licensee or for which Licensee may become liable arising from any claim brought by an individual third party against, or fine imposed by a regulator upon, Licensee due to: (i) Culpepper's breach of any obligation contained in this DPA; and (ii) any failure by Culpepper, its employees, or its agents to comply with Applicable Laws. Licensee agrees to indemnify, keep indemnified and defend at its own expense, Culpepper against all costs, claims, damages or expenses incurred by Culpepper or for which Culpepper may become liable arising from any claim brought by an individual third party against, regulatory action against, or fine imposed by a regulator upon, Culpepper: (i) arising from or in connection with Licensee’s determination, delay or withholding of agreement regarding any Privacy Breach notification under Paragraph 3.2; and (ii) due to any failure by Licensee, its employees, or its agents to comply with Applicable Laws.

This Data Processing Addendum was last updated on January 29, 2023.